- add fact to export vault public cert from agents - add fact to export list of trusted incus client certs - add method for incus clients to export their client cert to be trusted Reviewed-on: #406
# Define the exported resource type for incus client certificates
|
|
define incus::client_cert (
|
|
String $hostname,
|
|
Optional[String] $certificate = undef,
|
|
Optional[String] $fingerprint = undef,
|
|
) {
|
|
|
|
# Only proceed if we have both certificate and fingerprint
|
|
if $certificate and $fingerprint {
|
|
|
|
$trust_list = $facts['incus_trust_list']
|
|
$existing_client = $trust_list.filter |$client| { $client['name'] == $hostname }
|
|
|
|
if $existing_client.empty {
|
|
# Add new certificate
|
|
exec { "incus_trust_add_${hostname}":
|
|
path => ['/bin', '/usr/bin'],
|
|
command => "echo '${certificate}' > /tmp/${hostname}.crt && \
|
|
incus config trust add-certificate /tmp/${hostname}.crt --name ${hostname} && \
|
|
rm -f /tmp/${hostname}.crt",
|
|
unless => "incus config trust list --format=json | grep '\"name\":\"${hostname}\"'",
|
|
}
|
|
} else {
|
|
# Check if fingerprints are different
|
|
$existing_fingerprint = $existing_client[0]['fingerprint']
|
|
|
|
if $existing_fingerprint != $fingerprint {
|
|
# Remove existing and add new certificate only if fingerprints differ
|
|
exec { "incus_trust_update_${hostname}":
|
|
path => ['/bin', '/usr/bin'],
|
|
command => "incus config trust remove ${existing_fingerprint} && \
|
|
echo '${certificate}' > /tmp/${hostname}.crt && \
|
|
incus config trust add-certificate /tmp/${hostname}.crt --name ${hostname} && \
|
|
rm -f /tmp/${hostname}.crt",
|
|
onlyif => "incus config trust list --format=json | grep '${existing_fingerprint}'",
|
|
}
|
|
}
|
|
# If fingerprints match, do nothing (certificate is already correct)
|
|
}
|
|
}
|
|
}
|
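Review bot: In the `incus_trust_add_${hostname}` and `incus_trust_update_${hostname}` execs, `$hostname`, `$certificate` and `$existing_fingerprint` are interpolated unquoted or single-quoted into a shell string, and `$hostname` and `$certificate` arrive from an exported resource, so a malformed or hostile value on any exporting agent can break out of the quoting and run commands on the incus host; the PEM is also staged at the predictable world-writable path `/tmp/${hostname}.crt`, which another local user can pre-create or symlink before the echo runs. Constrain the parameters with pattern types (`Pattern[/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/] $hostname`, `Optional[Pattern[/\A[0-9a-fA-F]+\z/]] $fingerprint`), write the certificate with a root-only `file` resource under a directory the module manages, and have the exec reference only that path, as sketched below for the add branch (the update branch needs the same change). The `unless` and `onlyif` greps are substring matches, so `web` also satisfies the check for `web2` and a fingerprint prefix matches any longer one; an anchored pattern or a JSON-aware query would make the idempotence checks precise. `$facts['incus_trust_list']` is used without a default, so `.filter` appears to fail on a host where the fact is not yet present; `$facts['incus_trust_list'] // []` would avoid that, if that is the intended first-run behaviour.
```puppet
define incus::client_cert (
  Pattern[/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/] $hostname,
  Optional[String] $certificate = undef,
  Optional[Pattern[/\A[0-9a-fA-F]+\z/]] $fingerprint = undef,
) {
  # … unchanged: trust-list lookup and $existing_client filter …
      # Staging path below is a constructed example; use the module's own root-owned directory.
      $cert_file = "/var/lib/incus-puppet-trust/${hostname}.crt"
      # Puppet writes the PEM; the shell never sees the certificate contents.
      file { $cert_file:
        ensure  => file,
        owner   => 'root',
        group   => 'root',
        mode    => '0600',
        content => $certificate,
        before  => Exec["incus_trust_add_${hostname}"],
      }
      exec { "incus_trust_add_${hostname}":
        path    => ['/bin', '/usr/bin'],
        command => "incus config trust add-certificate ${cert_file} --name ${hostname}",
        # … unchanged: unless => trust-list check …
      }
  # … unchanged: update branch (same file resource replaces the echo) …
```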